DHCP-DNS problems


DHCP-DNS problems

Samba - General mailing list
Hello there.
So, I have a Samba AD setup, with DHCP and samba_dlz setup as described in
the wiki.

However, I find that after a while, dynamic DHCPD updates stop working.
The fix is for me to restart the named server.

When in this state, I get log messages like:

 DHCPREQUEST for 192.168.52.232 (192.168.60.2) from 8c:be:be:0d:cf:3c
(RedmiNote4-Gj?gur) via 192.168.52.253
Dec 18 15:39:44 dc02 dhcpd: DHCPACK on 192.168.52.232 to 8c:be:be:0d:cf:3c
(RedmiNote4-Gj?gur) via 192.168.52.253
Dec 18 15:39:46 dc02 dhcpd: domain is rvx.is
Dec 18 15:39:46 dc02 dhcpd: doing add
Dec 18 15:39:46 dc02 dhcpd: update failed: NOTAUTH
Dec 18 15:39:47 dc02 dhcpd: update failed: NOTAUTH
Dec 18 15:39:47 dc02 logger: DHCP-DNS Update failed: 22


In this state, clearing the /tmp/dhcpd-dyndns.cc and/or regenerating the
/etc/dhcpduser.keytab will not fix things.
Only restarting the "named" server does, after which I get stuff like:
Dec 18 15:41:38 dc02 dhcpd: domain is rvx.is
Dec 18 15:41:38 dc02 dhcpd: doing add
Dec 18 15:41:39 dc02 named[17215]: samba_dlz: starting transaction on zone
rvx.is
Dec 18 15:41:39 dc02 named[17215]: samba_dlz: allowing update of
signer=dhcpduser\@RVX.IS name=RedmiNote4-Gj?gur.rvx.is tcpaddr=127.0.0.1
type=A key=17359283
17.sig-dc02.rvx.is/160/0
etc...

I am running centos 7, bind 9.9.4,
Samba 4.7.3 compiled from sources.


From what I can gather, /usr/local/bin/dhcpd-dyndns.sh is talking to the
local samba daemon.  Samba AD maintains the actual DNS entries.  Why does
the AD need confirmation with the bind daemon to update its internal
database?  Shouldn't the bind daemon, using samba_dlz, just contain the
local DC when serving queries?

Does anybody else have this problem?

Cheers!


--
Kv,
Kristján Valur Jónsson, RVX
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: DHCP-DNS problems

Samba - General mailing list
On Mon, 18 Dec 2017 15:55:10 +0000
Kristján Valur Jónsson via samba <[hidden email]> wrote:

> Hello there.
> So, I have a Samba AD setup, with DHCP and samba_dlz  setup as
> described in the wiki.
>
> However, I find that after a while, dynamic DHCPD updates stop
> working. The fix is for me to restart the named server.
>
> When in this state, I get log messages like:
>
>  DHCPREQUEST for 192.168.52.232 (192.168.60.2) from 8c:be:be:0d:cf:3c
> (RedmiNote4-Gj?gur) via 192.168.52.253
> Dec 18 15:39:44 dc02 dhcpd: DHCPACK on 192.168.52.232 to
> 8c:be:be:0d:cf:3c (RedmiNote4-Gj?gur) via 192.168.52.253
> Dec 18 15:39:46 dc02 dhcpd: domain is rvx.is
> Dec 18 15:39:46 dc02 dhcpd: doing add
> Dec 18 15:39:46 dc02 dhcpd: update failed: NOTAUTH
> Dec 18 15:39:47 dc02 dhcpd: update failed: NOTAUTH
> Dec 18 15:39:47 dc02 logger: DHCP-DNS Update failed: 22
>
>
> In this state, clearing the /tmp/dhcpd-dyndns.cc and/or regenerating
> the /etc/dhcpduser.keytab will not fix things.
> Only restarting the "named" server does, after which I get stuff like:
> Dec 18 15:41:38 dc02 dhcpd: domain is rvx.is
> Dec 18 15:41:38 dc02 dhcpd: doing add
> Dec 18 15:41:39 dc02 named[17215]: samba_dlz: starting transaction on
> zone rvx.is

Even this looks wrong, I would expect something like this:

Dec 18 07:43:59 dc3 dhcpd: DHCPREQUEST for 192.168.0.111 from cc:4e:ec:e9:c8:d3 via eth0
Dec 18 07:43:59 dc3 dhcpd: DHCPACK on 192.168.0.111 to cc:4e:ec:e9:c8:d3 via eth0
Dec 18 07:47:33 dc3 dhcpd: Commit: IP: 192.168.0.88 DHCID: 1:ec:8:6b:c:cb:c2 Name: devstation
Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[1] = add
Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[2] = 192.168.0.88
Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[3] = 1:ec:8:6b:c:cb:c2
Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[4] = devstation
Dec 18 07:47:33 dc3 named[22890]: samba_dlz: starting transaction on
zone samdom.example.com

You don't seem to have the lines that contain the required info.

> Dec 18 15:41:39 dc02 named[17215]: samba_dlz: allowing update of
> signer=dhcpduser\@RVX.IS name=RedmiNote4-Gj?gur.rvx.is
> tcpaddr=127.0.0.1 type=A key=17359283
> 17.sig-dc02.rvx.is/160/0
> etc...
>
> I am running centos 7, bind 9.9.4,
> Samba 4.7.3 compiled from sources.
>
>
> From what I can gather, /usr/local/bin/dhcpd-dyndns.sh is talking to
> the local samba daemon.

No, the script uses nsupdate to update the records in AD.

>  Samba AD maintains the actual DNS entries.
> Why does the AD need confirmation with the bind daemon to update its
> internal database?  Shouldn't the bind daemon, using samba_dlz, just
> contain the local DC when serving queries?
>
> Does anybody else have this problem?
>

Not that I am aware.

Can you post (or send them to me direct), the script you are using
(yes, I know it is the one on the wiki, but I want to check yours), your
dhcpd.conf file and your named.conf file(s)
 
Rowland


Re: DHCP-DNS problems

Samba - General mailing list
On 18 December 2017 at 16:20, Rowland Penny via samba <[hidden email]
> wrote:

>
>
> Even this looks wrong, I would expect something like this:
>
> Dec 18 07:43:59 dc3 dhcpd: DHCPREQUEST for 192.168.0.111 from
> cc:4e:ec:e9:c8:d3 via eth0
> Dec 18 07:43:59 dc3 dhcpd: DHCPACK on 192.168.0.111 to cc:4e:ec:e9:c8:d3
> via eth0
> Dec 18 07:47:33 dc3 dhcpd: Commit: IP: 192.168.0.88 DHCID:
> 1:ec:8:6b:c:cb:c2 Name: devstation
> Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[0] =
> /usr/local/bin/dhcp-dyndns.sh
> Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[1] = add
> Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[2] = 192.168.0.88
> Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[3] = 1:ec:8:6b:c:cb:c2
> Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[4] = devstation
> Dec 18 07:47:33 dc3 named[22890]: samba_dlz: starting transaction on
> zone samdom.example.com
>
> You don't seem to have the lines that contain the required info.
>
Yes, funny it doesn't show up in /var/log/messages, but journalctl shows
it.  Here is an equivalent output:
Dec 18 14:45:20 dc02.rv

Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: Commit: IP: 192.168.62.107 DHCID:
1:a0:ce:c8:e:35:7c Name: Dadis-MBP
Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: execute_statement argv[0] =
/usr/local/bin/dhcp-dyndns.sh
Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: execute_statement argv[1] = add
Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: execute_statement argv[2] =
192.168.62.107
Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: execute_statement argv[3] =
1:a0:ce:c8:e:35:7c
Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: execute_statement argv[4] =
Dadis-MBP
Dec 18 14:45:29 dc02.rvx.is dhcpd[318]: domain is rvx.is
Dec 18 14:45:29 dc02.rvx.is dhcpd[318]: doing add
Dec 18 14:45:30 dc02.rvx.is dhcpd[318]: update failed: NOTAUTH
Dec 18 14:45:30 dc02.rvx.is dhcpd[318]: update failed: NOTAUTH
Dec 18 14:45:30 dc02.rvx.is logger[15729]: DHCP-DNS Update failed: 22
Dec 18 14:45:30 dc02.rvx.is dhcpd[318]: execute:
/usr/local/bin/dhcp-dyndns.sh exit status 5632
Dec 18 14:45:30 dc02.rvx.is dhcpd[318]: DHCPREQUEST for 192.168.62.107 from
a0:ce:c8:0e:35:7c (Dadis-MBP) via 192.168.62.254
Dec 18 14:45:30 dc02.rvx.is dhcpd[318]: DHCPACK on 192.168.62.107 to
a0:ce:c8:0e:35:7c (Dadis-MBP) via 192.168.62.254
Dec 18 14:45:48 dc02.rvx.is named[332]: validating @0x6dbff148:
paypal.adtag.where.com A: no valid signature found
Dec 18 14:46:46 dc02.rvx.is named[332]: validating @0x6dc25158:
crl.pki.goog A: no valid signature found
Dec 18 14:47:54 dc02.rvx.is samba[449]: [2017/12/18 14:47:54.504700,  0]
../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
Dec 18 14:47:54 dc02.rvx.is samba[449]:
 ../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code
110
Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: Commit: IP: 192.168.62.107 DHCID:
1:a0:ce:c8:e:35:7c Name: Dadis-MBP
Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: execute_statement argv[0] =
/usr/local/bin/dhcp-dyndns.sh
Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: execute_statement argv[1] = add
Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: execute_statement argv[2] =
192.168.62.107
Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: execute_statement argv[3] =
1:a0:ce:c8:e:35:7c
Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: execute_statement argv[4] =
Dadis-MBP
Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: domain is rvx.is
Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: doing add
Dec 18 14:49:02 dc02.rvx.is dhcpd[318]: update failed: NOTAUTH
Dec 18 14:49:02 dc02.rvx.is named[332]: validating @0x6e5e4528:
www.perforce.com A: no valid signature found
Dec 18 14:49:02 dc02.rvx.is named[332]: validating @0x6dc28378: perforce.com
A: no valid signature found
Dec 18 14:49:02 dc02.rvx.is dhcpd[318]: update failed: NOTAUTH
Dec 18 14:49:02 dc02.rvx.is logger[15810]: DHCP-DNS Update failed: 22
Dec 18 14:49:02 dc02.rvx.is dhcpd[318]: execute:
/usr/local/bin/dhcp-dyndns.sh exit status 5632



>
> No, the script uses nsupdate to update the records in AD.
>
Aha, ok, then it makes sense that restarting named will fix it. It would
appear that named goes into some sort of huff.


>
> Can you post (or send them to me direct), the script you are using
> (yes, I know it is the one on the wiki, but I want to check yours), your
> dhcpd.conf file and your named.conf file(s)
>
Sure.  This is a two-weeks-old setup, and like I said, it works initially,
then gets into trouble.  I'll send you the config.


--
Kv,
Kristján Valur Jónsson, RVX
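The journal excerpt above contains everything needed to tell a rejected update from a healthy one. The following is an added example, not code from the thread or from the Samba wiki script: a small Python triage that pairs each dhcpd Commit with its dhcp-dyndns.sh run, counts the NOTAUTH replies reported by nsupdate, records the signer named by samba_dlz on success, and decodes the raw wait status dhcpd logs (5632 is 22 in the high byte, which is why the excerpt shows "exit status 5632" next to "Update failed: 22"). It accepts both the plain syslog shape (dhcpd:) and the journal shape (dhcpd[318]:) shown in the thread; the sample lines, hostnames, MACs and zone are constructed.

```python
"""Triage journal lines from a Samba AD DC running ISC dhcpd with the
wiki's dhcp-dyndns.sh hook: pair each dhcpd Commit with its script run,
count nsupdate NOTAUTH rejections and decode the wait status dhcpd logs."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample modelled on the journalctl excerpt in the thread;
# hostnames, MACs and the zone are made up, not taken from a real system.
SAMPLE_LOG = """\
Jan 03 09:12:01 dc02.example.test dhcpd[318]: Commit: IP: 192.168.62.107 DHCID: 1:a0:ce:c8:e:35:7c Name: laptop-a
Jan 03 09:12:01 dc02.example.test dhcpd[318]: execute_statement argv[1] = add
Jan 03 09:12:01 dc02.example.test dhcpd[318]: execute_statement argv[2] = 192.168.62.107
Jan 03 09:12:01 dc02.example.test dhcpd[318]: execute_statement argv[4] = laptop-a
Jan 03 09:12:02 dc02.example.test dhcpd[318]: doing add
Jan 03 09:12:03 dc02.example.test dhcpd[318]: update failed: NOTAUTH
Jan 03 09:12:03 dc02.example.test dhcpd[318]: update failed: NOTAUTH
Jan 03 09:12:03 dc02.example.test logger[15729]: DHCP-DNS Update failed: 22
Jan 03 09:12:03 dc02.example.test dhcpd[318]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 5632
Jan 03 09:15:40 dc02.example.test dhcpd[318]: Commit: IP: 192.168.62.108 DHCID: 1:8c:be:be:d:cf:3c Name: phone-b
Jan 03 09:15:40 dc02.example.test dhcpd[318]: execute_statement argv[1] = add
Jan 03 09:15:40 dc02.example.test dhcpd[318]: execute_statement argv[2] = 192.168.62.108
Jan 03 09:15:40 dc02.example.test dhcpd[318]: execute_statement argv[4] = phone-b
Jan 03 09:15:41 dc02.example.test dhcpd[318]: doing add
Jan 03 09:15:41 dc02.example.test named[332]: samba_dlz: starting transaction on zone example.test
Jan 03 09:15:41 dc02.example.test named[332]: samba_dlz: allowing update of signer=dhcpduser\\@EXAMPLE.TEST name=phone-b.example.test tcpaddr=127.0.0.1 type=A
Jan 03 09:15:41 dc02.example.test dhcpd[318]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 0
"""

# The Commit line appears with or without a [pid] depending on the logger.
COMMIT_RE = re.compile(r"dhcpd(?:\[\d+\])?: Commit: IP: (\S+) DHCID: (\S+) Name: (\S+)")
ARGV_RE = re.compile(r"execute_statement argv\[(\d+)\] = (.+)$")
EXIT_RE = re.compile(r"execute: \S+ exit status (\d+)")
ALLOWED_RE = re.compile(r"samba_dlz: allowing update of signer=(\S+) name=(\S+)")
NOTAUTH = "update failed: NOTAUTH"


@dataclass
class UpdateAttempt:
    ip: str
    dhcid: str
    name: str
    argv: Dict[int, str] = field(default_factory=dict)
    notauth: int = 0                    # NOTAUTH replies nsupdate reported
    allowed_by: Optional[str] = None    # signer principal named by samba_dlz
    script_exit: Optional[int] = None   # dhcp-dyndns.sh exit code (decoded)

    @property
    def verdict(self) -> str:
        # NOTAUTH means named/samba_dlz did not accept the signed update:
        # the thread's symptom, pointing at the ticket cache or at named.
        if self.notauth or self.script_exit not in (None, 0):
            return "REJECTED"
        return "OK" if self.allowed_by else "INCOMPLETE"


def decode_wait_status(raw: int):
    """dhcpd logs the raw waitpid() status, not the exit code: the code is
    the high byte, any terminating signal the low 7 bits (5632 -> 22, 0)."""
    return (raw >> 8) & 0xFF, raw & 0x7F


def triage(lines) -> List[UpdateAttempt]:
    """Walk lines in order, attaching script, nsupdate and named messages
    to the most recent dhcpd Commit."""
    attempts: List[UpdateAttempt] = []
    current: Optional[UpdateAttempt] = None
    for line in lines:
        m = COMMIT_RE.search(line)
        if m:
            current = UpdateAttempt(*m.groups())
            attempts.append(current)
            continue
        if current is None:
            continue
        if NOTAUTH in line:
            current.notauth += 1
        elif m := ARGV_RE.search(line):
            current.argv[int(m.group(1))] = m.group(2).strip()
        elif m := ALLOWED_RE.search(line):
            current.allowed_by = m.group(1)
        elif m := EXIT_RE.search(line):
            current.script_exit = decode_wait_status(int(m.group(1)))[0]
    return attempts


if __name__ == "__main__":
    for a in triage(SAMPLE_LOG.splitlines()):
        print(f"{a.name:10} {a.ip:16} argv={a.argv.get(1)} "
              f"notauth={a.notauth} exit={a.script_exit} -> {a.verdict}")
```

Run it against `journalctl -u dhcpd -u named -o short` output to see which leases are being refused before the ticket cache is inspected.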

Re: DHCP-DNS problems

Samba - General mailing list
On Mon, 18 Dec 2017 17:24:18 +0000
Kristján Valur Jónsson via samba <[hidden email]> wrote:

> On 18 December 2017 at 16:20, Rowland Penny via samba
> <[hidden email]
> > wrote:
>
> >
> >
> > Even this looks wrong, I would expect something like this:
> >
> > Dec 18 07:43:59 dc3 dhcpd: DHCPREQUEST for 192.168.0.111 from
> > cc:4e:ec:e9:c8:d3 via eth0
> > Dec 18 07:43:59 dc3 dhcpd: DHCPACK on 192.168.0.111 to
> > cc:4e:ec:e9:c8:d3 via eth0
> > Dec 18 07:47:33 dc3 dhcpd: Commit: IP: 192.168.0.88 DHCID:
> > 1:ec:8:6b:c:cb:c2 Name: devstation
> > Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[0] =
> > /usr/local/bin/dhcp-dyndns.sh
> > Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[1] = add
> > Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[2] = 192.168.0.88
> > Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[3] =
> > 1:ec:8:6b:c:cb:c2 Dec 18 07:47:33 dc3 dhcpd: execute_statement
> > argv[4] = devstation Dec 18 07:47:33 dc3 named[22890]: samba_dlz:
> > starting transaction on zone samdom.example.com
> >
> > You don't seem to have the lines that contain the required info.
> >
> Yes, funny it doesn't show up in /var/log/messages, but journalctl
> shows it.  

If that is the case, then I will not fix the logging, it works on my
computer.

> Here is an equivalent output:
> Dec 18 14:45:20 dc02.rv
>
> Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: Commit: IP: 192.168.62.107
> DHCID: 1:a0:ce:c8:e:35:7c Name: Dadis-MBP
> Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: execute_statement argv[0] =
> /usr/local/bin/dhcp-dyndns.sh
> Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: execute_statement argv[1] =
> add Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: execute_statement argv[2]
> = 192.168.62.107
> Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: execute_statement argv[3] =
> 1:a0:ce:c8:e:35:7c
> Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: execute_statement argv[4] =
> Dadis-MBP
> Dec 18 14:45:29 dc02.rvx.is dhcpd[318]: domain is rvx.is
> Dec 18 14:45:29 dc02.rvx.is dhcpd[318]: doing add
> Dec 18 14:45:30 dc02.rvx.is dhcpd[318]: update failed: NOTAUTH
> Dec 18 14:45:30 dc02.rvx.is dhcpd[318]: update failed: NOTAUTH
> Dec 18 14:45:30 dc02.rvx.is logger[15729]: DHCP-DNS Update failed: 22
> Dec 18 14:45:30 dc02.rvx.is dhcpd[318]: execute:
> /usr/local/bin/dhcp-dyndns.sh exit status 5632
> Dec 18 14:45:30 dc02.rvx.is dhcpd[318]: DHCPREQUEST for
> 192.168.62.107 from a0:ce:c8:0e:35:7c (Dadis-MBP) via 192.168.62.254
> Dec 18 14:45:30 dc02.rvx.is dhcpd[318]: DHCPACK on 192.168.62.107 to
> a0:ce:c8:0e:35:7c (Dadis-MBP) via 192.168.62.254
> Dec 18 14:45:48 dc02.rvx.is named[332]: validating @0x6dbff148:
> paypal.adtag.where.com A: no valid signature found
> Dec 18 14:46:46 dc02.rvx.is named[332]: validating @0x6dc25158:
> crl.pki.goog A: no valid signature found
> Dec 18 14:47:54 dc02.rvx.is samba[449]: [2017/12/18 14:47:54.504700,
> 0] ../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
> Dec 18 14:47:54 dc02.rvx.is samba[449]:
>  ../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error
> code 110
> Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: Commit: IP: 192.168.62.107
> DHCID: 1:a0:ce:c8:e:35:7c Name: Dadis-MBP
> Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: execute_statement argv[0] =
> /usr/local/bin/dhcp-dyndns.sh
> Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: execute_statement argv[1] =
> add Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: execute_statement argv[2]
> = 192.168.62.107
> Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: execute_statement argv[3] =
> 1:a0:ce:c8:e:35:7c
> Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: execute_statement argv[4] =
> Dadis-MBP
> Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: domain is rvx.is
> Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: doing add
> Dec 18 14:49:02 dc02.rvx.is dhcpd[318]: update failed: NOTAUTH
> Dec 18 14:49:02 dc02.rvx.is named[332]: validating @0x6e5e4528:
> www.perforce.com A: no valid signature found
> Dec 18 14:49:02 dc02.rvx.is named[332]: validating @0x6dc28378:
> perforce.com A: no valid signature found
> Dec 18 14:49:02 dc02.rvx.is dhcpd[318]: update failed: NOTAUTH
> Dec 18 14:49:02 dc02.rvx.is logger[15810]: DHCP-DNS Update failed: 22
> Dec 18 14:49:02 dc02.rvx.is dhcpd[318]: execute:
> /usr/local/bin/dhcp-dyndns.sh exit status 5632
>
>
>
> >
> > No, the script uses nsupdate to update the records in AD.
> >
> Aha, ok, then it makes sense that restarting named will fix it. It
> would appear that named goes into some sort of huff.
>
>
> >
> > Can you post (or send them to me direct), the script you are using
> > (yes, I know it is the one on the wiki, but I want to check yours), your
> > dhcpd.conf file and your named.conf file(s)
> >
> Sure.  This is a two-weeks-old setup, and like I said, it works
> initially, then gets into trouble..  I'll send you the config.

Mine has worked for over 5 years ;-)
I will await the files.

Rowland


Re: DHCP-DNS problems

Samba - General mailing list
On Tue, 2 Jan 2018 15:11:59 +0000
Kristján Valur Jónsson <[hidden email]> wrote:

> Here are log files from my two DCs that are set up in redundant DHCP
> mode. One of them is running with the -v flag in dhcp-dyndns, hence
> is much more verbose.
> dc02 is the primary, dc03 is secondary
> log_dc02, log_dc03, show a failed dyndns session from Fridriks_iphone.
>
> After restarting named (systemctl restart bind), there is a
> successful dhcp from my Redmi phone, in log2_dc02, log2_dc03
>
> See anything?
>
>
> On 18 December 2017 at 17:42, Rowland Penny via samba
> <[hidden email]
> > wrote:
>
> > On Mon, 18 Dec 2017 17:24:18 +0000
> > Kristján Valur Jónsson via samba <[hidden email]> wrote:
> >
> > > On 18 December 2017 at 16:20, Rowland Penny via samba
> > > <[hidden email]
> > > > wrote:
> > >
> > > >
> > > >
> > > > Even this looks wrong, I would expect something like this:
> > > >
> > > > Dec 18 07:43:59 dc3 dhcpd: DHCPREQUEST for 192.168.0.111 from
> > > > cc:4e:ec:e9:c8:d3 via eth0
> > > > Dec 18 07:43:59 dc3 dhcpd: DHCPACK on 192.168.0.111 to
> > > > cc:4e:ec:e9:c8:d3 via eth0
> > > > Dec 18 07:47:33 dc3 dhcpd: Commit: IP: 192.168.0.88 DHCID:
> > > > 1:ec:8:6b:c:cb:c2 Name: devstation
> > > > Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[0] =
> > > > /usr/local/bin/dhcp-dyndns.sh
> > > > Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[1] = add
> > > > Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[2] =
> > > > 192.168.0.88 Dec 18 07:47:33 dc3 dhcpd: execute_statement
> > > > argv[3] = 1:ec:8:6b:c:cb:c2 Dec 18 07:47:33 dc3 dhcpd:
> > > > execute_statement argv[4] = devstation Dec 18 07:47:33 dc3
> > > > named[22890]: samba_dlz: starting transaction on zone
> > > > samdom.example.com
> > > >
> > > > You don't seem to have the lines that contain the required info.
> > > >
> > > Yes, funny it doesn't show up in /var/log/messages, but journalctl
> > > shows it.
> >
> > If that is the case, then I will not fix the logging, it works on my
> > computer.
> >
> > > Here is an equivalent output:
> > > Dec 18 14:45:20 dc02.rv
> > >
> > > Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: Commit: IP: 192.168.62.107
> > > DHCID: 1:a0:ce:c8:e:35:7c Name: Dadis-MBP
> > > Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: execute_statement argv[0]
> > > = /usr/local/bin/dhcp-dyndns.sh
> > > Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: execute_statement argv[1]
> > > = add Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: execute_statement
> > > argv[2] = 192.168.62.107
> > > Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: execute_statement argv[3]
> > > = 1:a0:ce:c8:e:35:7c
> > > Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: execute_statement argv[4]
> > > = Dadis-MBP
> > > Dec 18 14:45:29 dc02.rvx.is dhcpd[318]: domain is rvx.is
> > > Dec 18 14:45:29 dc02.rvx.is dhcpd[318]: doing add
> > > Dec 18 14:45:30 dc02.rvx.is dhcpd[318]: update failed: NOTAUTH
> > > Dec 18 14:45:30 dc02.rvx.is dhcpd[318]: update failed: NOTAUTH
> > > Dec 18 14:45:30 dc02.rvx.is logger[15729]: DHCP-DNS Update
> > > failed: 22 Dec 18 14:45:30 dc02.rvx.is dhcpd[318]: execute:
> > > /usr/local/bin/dhcp-dyndns.sh exit status 5632
> > > Dec 18 14:45:30 dc02.rvx.is dhcpd[318]: DHCPREQUEST for
> > > 192.168.62.107 from a0:ce:c8:0e:35:7c (Dadis-MBP) via
> > > 192.168.62.254 Dec 18 14:45:30 dc02.rvx.is dhcpd[318]: DHCPACK on
> > > 192.168.62.107 to a0:ce:c8:0e:35:7c (Dadis-MBP) via 192.168.62.254
> > > Dec 18 14:45:48 dc02.rvx.is named[332]: validating @0x6dbff148:
> > > paypal.adtag.where.com A: no valid signature found
> > > Dec 18 14:46:46 dc02.rvx.is named[332]: validating @0x6dc25158:
> > > crl.pki.goog A: no valid signature found
> > > Dec 18 14:47:54 dc02.rvx.is samba[449]: [2017/12/18
> > > 14:47:54.504700,
> > > 0] ../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
> > > Dec 18 14:47:54 dc02.rvx.is
> > > samba[449]: ../source4/dsdb/dns/dns_update.c:290: Failed DNS
> > > update - with error code 110 Dec 18 14:49:01 dc02.rvx.is
> > > dhcpd[318]: Commit: IP: 192.168.62.107 DHCID: 1:a0:ce:c8:e:35:7c
> > > Name: Dadis-MBP Dec 18 14:49:01 dc02.rvx.is dhcpd[318]:
> > > execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
> > > Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: execute_statement argv[1]
> > > = add Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: execute_statement
> > > argv[2] = 192.168.62.107
> > > Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: execute_statement argv[3]
> > > = 1:a0:ce:c8:e:35:7c
> > > Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: execute_statement argv[4]
> > > = Dadis-MBP
> > > Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: domain is rvx.is
> > > Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: doing add
> > > Dec 18 14:49:02 dc02.rvx.is dhcpd[318]: update failed: NOTAUTH
> > > Dec 18 14:49:02 dc02.rvx.is named[332]: validating @0x6e5e4528:
> > > www.perforce.com A: no valid signature found
> > > Dec 18 14:49:02 dc02.rvx.is named[332]: validating @0x6dc28378:
> > > perforce.com A: no valid signature found
> > > Dec 18 14:49:02 dc02.rvx.is dhcpd[318]: update failed: NOTAUTH
> > > Dec 18 14:49:02 dc02.rvx.is logger[15810]: DHCP-DNS Update
> > > failed: 22 Dec 18 14:49:02 dc02.rvx.is dhcpd[318]: execute:
> > > /usr/local/bin/dhcp-dyndns.sh exit status 5632
> > >
> > >
> > >
> > > >
> > > > No, the script uses nsupdate to update the records in AD.
> > > >
> > > Aha, ok, then it makes sense that restarting named will fix it. It
> > > would appear that named goes into some sort of huff.
> > >
> > >
> > > >
> > > > Can you post (or send them to me direct), the script you are
> > > > using (yes, I know it is the one on the wiki, but I want to check
> > > > yours), your dhcpd.conf file and your named.conf file(s)
> > > >
> > > Sure.  This is a two-weeks-old setup, and like I said, it works
> > > initially, then gets into trouble..  I'll send you the config.
> >
> > Mine has worked for over 5 years ;-)
> > I will await the files.
> >
> > Rowland
> >
> >
> >
> >
> >

OK, I have looked at the logs you sent me, it looks like you have
a kerberos problem, can you post
your /etc/hosts, /etc/hostname, /etc/krb5.conf, /etc/dhcp/dhcpd.conf,
your named files and smb.conf file.

Rowland


Re: DHCP-DNS problems

Samba - General mailing list
On Tue, 2 Jan 2018 16:15:14 +0000
Kristján Valur Jónsson <[hidden email]> wrote:

> Sure, here it is.
> However, notice that named appears to enter a state where it refuses
> the updates, and restarting *only* named, fixes it.  Unsure how to
> explain that. I also tried removing the cached samba credentials
> from /tmp and recreating them, etc, but no luck.  The credentials as
> used by dhcp-dyndns appear to be ok, only named won't accept them....
> Anyway, see the attached archive.
>

Not a lot wrong there, apart from:

/etc/hostname should only contain the short hostname e.g. dc02

I would change /etc/hosts on dc02 to this:
127.0.0.1 localhost
::1 localhost
<dc02 ipaddress> dc02.rvx.is dc02
Repeat for the other DCs

smb.conf seems to be missing 'idmap_ldb:use rfc2307  = yes'

'named.conf' has this line: recursion yes;

nine lines above it is this:

- If you are building an AUTHORITATIVE DNS server, do NOT enable
  recursion.

All AD DCs running a dns server are 'AUTHORITATIVE'

You seem to be running dhcp in ways I never thought of, but it should
work, I think that for some reason the kerberos ticket is expiring and
not being renewed.

Try making the changes I suggested above and see how you go on. If it
fails again, check if '/tmp/dhcp-dyndns.cc' exists and if it has
expired. If it doesn't exist or has expired, try running this as root:

kinit -F -k -t /etc/dhcpduser.keytab -c /tmp/dhcp-dyndns.cc
[hidden email]

Where 'XXX.XX' is your uppercase realm name.

Rowland


Re: DHCP-DNS problems

Samba - General mailing list
On Wed, 3 Jan 2018 10:49:36 +0000
Kristján Valur Jónsson <[hidden email]> wrote:

> Thanks for your comments.  The settings are as they are since I used
> the default Centos settings as much as possible, adopting the
> functional difference from the wiki.

I understand this, it is just that when I try out red-hat distros, I
have to make the changes I suggested, or it doesn't work for me ;-)

> Interesting bit about recursion, will fix.  Actually this explains one
> funny bit:  These DCs are servicing our internal domain, rvx.is, in
> the 192.168.x.x. range.  However, we also do have an external
> (internet visible) domain server outside, for such external stuff
> such as www.rvx.is. Choosing the same dns name for the internal and
> external net was not my idea.

Your AD domain should have been a subdomain of your main domain, but
saying this will not help you now, unless you can start again because
you cannot change a Samba AD domain name.

> and making dns lookups inside, things
> not found will also recurse to the external ones.

It is 'forward' not 'recurse' ;-)
Your AD dns server should be authoritative for the AD domain and should
forward anything unknown to a dns server outside the AD dns domain.

>  I'm not sure how
> that is a bad thing, but it is actually not needed so I will switch
> it off.
>
> As for the kerberos ticket:  I already explained that I tried
> removing and refreshing the ticket in the /tmp folder.  None of this
> has any effect. Only restarting Bind will cause things to start
> working.  To me, it looks rather that bind is suddenly having trouble
> accepting kerberos authentication.

Is it that Bind is having problems, or is the ticket expiring and not
getting renewed?

> Is it possible that named is caching the authentication, comparing the
> incoming ticket with something it has already verified, and if the
> ticket changes (because /tmp/dhcp-dyndns.cc was regenerated) that
> named will refuse the connection?  

Not that I am aware of (unless it is something to do with systemd ?)
When the ticket is renewed, it just gets replaced.

> Is this authentication part of
> named itself or dlz_bind9_9.so?  (I'm running "BIND
> 9.9.4-RedHat-9.9.4-51.el7_4.1 (Extended Support Version)"), and SMB
> 4.7.4. compiled from sources.

The script uses 'nsupdate' (a part of Bind) to carry out the updates
and uses kerberos for the authentication. Unless the red-hat version of
9.9.4 is different from the 9.9.4 version that comes with ubuntu 14.04,
it should just work.

>
>
> Things are running smoothly now, once they start failing again, I'll
> scour the logs for clues.  Thanks.
>

Hopefully it will work, but I am not holding my breath ;-)

Rowland


Re: DHCP-DNS problems

Samba - General mailing list
On Mon, 8 Jan 2018 17:14:57 +0000
Kristján Valur Jónsson <[hidden email]> wrote:

> On 2 January 2018 at 17:03, Rowland Penny via samba
> <[hidden email]> wrote:
>
> >
> > smb.conf seems to be missing 'idmap_ldb:use rfc2307  = yes'
> >
> Is this necessary?  The recent windows remote tools lack the
> ability to easily edit these fields.
> Also, see this from the wiki,
> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
>
> "It is recommended not to use those mappings on the DCs. The default
> idmap ldb mechanism is fine for domain controllers and less error
> prone."
>

You can add 'idmap_ldb:use rfc2307  = yes' to DCs, the main problem is
that a DC can only obtain the users uidNumber and primarygroupid from
AD.
If you use the default idmap ldb on DCs, this also has problems: you
are very likely to get different ID numbers on different DCs unless you
sync idmap.ldb from the first DC to all others. You will also get yet
another ID on Unix domain members if you use the winbind 'rid' backend.
The only way to get consistent IDs everywhere is to use the winbind
'ad' backend.

Rowland
